There are presently a plurality of payment schemes for conducting commerce, electronic commerce (e-commerce) and mobile commerce (m-commerce) transactions.
One such payment scheme is the basic four-party model. The four-party model involves an issuer, which is typically a financial institution, a customer to whom payment credentials are issued by the issuer, a merchant, and an acquiring institution, which is typically the merchant's financial institution. When conducting a transaction, such as paying for goods or services, the customer presents the payment credentials to the merchant. The merchant then captures these payment credentials and forwards them to its acquirer. The acquirer and issuer are in communication with each other via a payment processing network, such as VisaNet®, and the acquirer communicates the payment credentials and other transaction information provided by the merchant, such as a transaction value, to the issuer using the payment processing network so as to complete the transaction.
E-commerce transactions may work in a similar manner, except that the payment credentials are typically provided by the customer to the merchant from a remote location, such as over the internet or by means of a telephone call.
While most payment schemes include the presentation and use of static payment credentials that are issued to the customer, some types of m-commerce transactions use single-use payment credentials that are sent to a consumer's mobile phone upon request by the consumer. The single-use payment credentials may then be presented to the merchant, who then forwards the payment credentials on to an acquirer so as to complete the transaction.
While payment schemes such as these have been successfully implemented and widely used, they suffer at least some disadvantages. The issuing of the payment credentials by the issuer to the customer is usually done “in the clear”. For example, single-use payment credentials issued in an m-commerce environment may be sent over an unencrypted short messaging service (SMS) message. In other cases, static payment credentials may be issued to the customer on a physical card such as a credit card, where those payment credentials can easily be read by anyone who looks at or magnetically or electronically reads the card.
The presentation of the payment credentials by the customer to the merchant is also usually in the clear. The payment credentials may be provided by the customer to the merchant over the telephone, or may be entered into a website. While many merchants may take extreme care in protecting the payment credentials, such as by meeting Payment Card Industry (PCI) requirements, payment credentials may be fraudulently obtained by unscrupulous merchants or third parties.